Installing MongoDB
What is MongoDB?
For the n00bs, you can get an introduction about MongoDB from this link.
Configure Package Management System (APT)
The Ubuntu package management tool (i.e. dpkg and apt) ensure package consistency and authenticity by requiring that distributors sign packages with GPG keys. Issue the following command to import the 10gen public GPG Key:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10
Create a /etc/apt/sources.list.d/10gen.list file
$ sudo touch /etc/apt/sources.list.d/10gen.list
and include the following line for the 10gen repository.
echo "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" >> /etc/apt/sources.list.d/10gen.list
Now reload your repository:
$ sudo apt-get update
Install Packages
$ sudo apt-get install mongodb-10gen
Configure MongoDB
Few very initial things to remember are:
- Remove IP Binding from all to just the IP (private or localhost), you expect to get Connection Request
# Only accept local connections bind_ip = 127.0.0.1
- Change the default Port Bindings
# Connecting port of mongodb port = 7171
- Authentication for all users
Creating MongoDB Users
To adding a new user is fairly straight forward …
Read/Write User$ mongo > use admin > db.addUser("admin", "@mm@123@m@+@rAn!")This creates a read/write user for the database admin (you can choose any username you wish.)
Restart the mongo with--authenabled.$ sudo mongod --auth --dbpath /var/lib/mongodb/
User Authentication in MongoDB
$ mongo localhost:7171/admin --username "admin" -password "@mm@123@m@+@rAn!"
- Give only required permissions (like no update/delete permissions to select query users)
Read Only User
> db.addUser("monkey", "tinkerbelle", true)The “true” parameter there makes the user read only (great for parts of the application code that you want to make sure never accidentally preform a write operation.)
- Removing all the default databases
> show dbs admin 0.203125GB local (empty) test (empty)
Databases test and local are defualt one’s. So we can drop all default databases.
> use test; switched to db test > db.dropDatabase(); { "dropped" : "test", "ok" : 1 } > use local; switched to db local > db.dropDatabase() { "dropped" : "local", "ok" : 1 } - Setup ssh keys for required master-slave connection, removing involvement of passwords
In-order to tunnel a connection to a mongodb over ssh like so.$ ssh -L LOCAL_PORT_NO_TO_LISTEN:host_with_mongo_connection:MONGODB_REMOTE_PORT_NO user@IP_ADDRESS_OF_THE_BOX_WITH_MONGODB
Thus, if the mongod is running on the server you have ssh access to, then the command would look like this:
$ ssh -L LOCAL_PORT_NO_TO_LISTEN :localhost:MONGODB_REMOTE_PORT_NO user@ssh_and_mongo_box
- You can even setup an encrypted tunnel (vpn) for connection between your application and mongodb
Traffic to and from mongod Instances
This pattern is applicable to all mongod instances running as standalone instances or as part of a replica set.
The goal of this pattern is to explicitly allow traffic to the mongod instance from the application server. In the following examples, replace <ip-address> with the IP address of the application server:
$ iptables -A INPUT -s <ip-address> -p tcp --destination-port MONGODB_PORT_NO -m state --state NEW,ESTABLISHED -j ACCEPT $ iptables -A OUTPUT -d <ip-address> -p tcp --source-port MONGODB_PORT_NO -m state --state ESTABLISHED -j ACCEPT
The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule, allows outgoing traffic from the mongod to reach the application server.
Optional: If you have only one application server, you can replace <ip-address> with either the IP address itself, such as: 10.23.33.3. You can also express this using CIDR notation as 10.23.33.3/32. If you want to permit a larger block of possible IP addresses (i.e while playing attack/defense type CTF as a team in a VPN) you can allow traffic from a /24 using one of the following specifications for the <ip-address>, as follows:
10.23.33.3/24 10.23.33.3/255.255.255.0
Sample secure config file of mongodb (/etc/mongodb.conf)
# mongodb.conf # Where to store the data. # Note: if you run mongodb as a non-root user (recommended) you may # need to create and set permissions for this directory manually, # e.g., if the parent directory isn't mutable by the mongodb user. dbpath=/var/lib/mongodb # Only accept local connections bind_ip = 127.0.0.1 #where to log logpath=/var/log/mongodb/mongodb.log logappend=true # Connecting port of mongodb port = 7171 # Disables write-ahead journaling # nojournal = true # Enables periodic logging of CPU utilization and I/O wait #cpu = true # Turn on/off security. Off is currently the default #noauth = true auth = true # Verbose logging output. #verbose = true # Inspect all client data for validity on receipt (useful for # developing drivers) #objcheck = true # Enable db quota management #quota = true # Set oplogging level where n is # 0=off (default) # 1=W # 2=R # 3=both # 7=W+some reads #diaglog = 0 # Ignore query hints #nohints = true # Disable the HTTP interface (Defaults to localhost:28017). nohttpinterface = true # Turns off server-side scripting. This will result in greatly limited # functionality noscripting = true # Turns off table scans. Any query that would do a table scan fails. #notablescan = true # Disable data file preallocation. #noprealloc = true # Specify .ns file size for new databases. # nssize = <size> # Accout token for Mongo monitoring server. #mms-token = <token> # Server name for Mongo monitoring server. #mms-name = <server-name> # Ping interval for Mongo monitoring server. #mms-interval = <seconds> # Replication Options # in master/slave replicated mongo databases, specify here whether # this is a slave or master #slave = true #source = master.example.com # Slave only: specify a single database to replicate #only = master.example.com # or #master = true #source = slave.example.com # in replica set configuration, specify the name of the replica set # replSet = setname
FOR-BIN-SEC 